Exam (elaborations)

CIPM Scenario Practice Exam 71 Questions with Verified Answers,100% CORRECT

Pages
24
Grade
A+
Uploaded on
25-03-2024
Written in
2023/2024

Based on Albert's observations regarding recent security incidents, which of the following should he suggest as a priority for Treasure Box?
A. Appointing an internal ombudsman to address employee complaints regarding hours and pay.
B. Using a third-party auditor to address privacy protection issues not recognized by the prior internal audits.
C. Working with the Human Resources department to make screening procedures for potential employees more rigorous.
D. Evaluating the company's ability to handle personal health information if the plan to acquire the medical supply company goes forward
CORRECT ANSWER: Using a third-party auditor to address privacy protection issues not recognized by the prior internal audits.

Based on Albert's observations, executive leadership should most likely pay closer attention to what?
A. Awareness campaigns with confusing information
B. Obsolete data processing systems
C. Outdated security frameworks
D. Potential in-house threats
CORRECT ANSWER: Outdated security frameworks

How can Consolidated's privacy training program best be further developed?
A. Through targeted curricula designed for specific departments
B. By adopting e-learning to reduce the need for instructors
C. By using industry standard off-the-shelf programs
D. Through a review of recent data breaches
CORRECT ANSWER: Through targeted curricula designed for specific departments

How was Pacific Suites responsible for protecting the sensitive information of its offshoot, PHT?
A. As the parent company, it should have transferred personnel to oversee the secure handling of PHT's data.
B. As the parent company, it should have performed an assessment of PHT's infrastructure and confirmed complete separation of the two networks.
C. As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT's system.
D. As the parent company, it should have replaced PHT's electronic files with hard-copy documents stored securely on site.
CORRECT ANSWER: As the parent company, it should have transferred personnel to oversee the secure handling of PHT's data.

How would a strong data life cycle management policy have helped prevent the breach?
A. Information would have been ranked according to importance and stored in separate locations
B. The most sensitive information would have been immediately erased and destroyed
C. The most important information would have been regularly assessed and tested for security
D. Information would have been categorized and assigned a deadline for destruction
CORRECT ANSWER: Information would have been categorized and assigned a deadline for destruction

In consideration of the company's new initiatives, which of the following laws and regulations would be most appropriate for Albert to mention at the interview as a priority concern for the privacy team?
A. Gramm-Leach-Bliley Act (GLBA)
B. The General Data Protection Regulation (GDPR)
C. The Telephone Consumer Protection Act (TCPA)
D. Health Insurance Portability and Accountability Act (HIPAA)
CORRECT ANSWER: Health Insurance Portability and Accountability Act (HIPAA) (This is important because they are considering acquiring a med co. in the US)

In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding?
A. The timeline for monitoring
B. The method of recordkeeping
C. The use of internal employees
D. The type of required qualifications
CORRECT ANSWER: The timeline for monitoring

If the Information Technology engineers had originally set the default for customer credit card information to "Do Not Save," this action would have been in line with what concept?
A. Use limitation
B. Privacy by Design
C. Harm minimization
D. Reactive risk management
CORRECT ANSWER: Privacy by Design

On which of the following topics does Albert most likely need additional knowledge?
A. The role of privacy in retail companies
B. The necessary maturity level of privacy programs
C. The possibility of delegating responsibilities related to privacy
D. The requirements for a managerial position with privacy protection duties
CORRECT ANSWER: The requirements for a managerial position with privacy protection duties

Regarding the credit monitoring, which of the following would be the greatest concern?
A. The vendor's representative does not have enough experience
B. Signing a contract with CRUDLOK which lasts longer than one year
C. The company did not collect enough identifiers to monitor one's credit
D. You are going to notify affected individuals via a letter followed by an email
CORRECT ANSWER: The company did not collect enough identifiers to monitor one's credit (First name and last 4 of national identifier is not enough)

Regarding the notification, which of the following would be the greatest concern?
A. Informing the affected individuals that data from other individuals may have also been affected.
B. Collecting more personally identifiable information than necessary to provide updates to the affected individuals.
C. Using a postcard with the logo of the vendor who made the mistake instead of your company's logo.
D. Trusting a vendor to send out a notice when they already failed once by not encrypting the database
CORRECT ANSWER: Collecting more personally identifiable information than necessary to provide updates to the affected individuals.

SCENARIO - CONSOLIDATED RECORDS CORPORATION
As the director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development. You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change. Initially, your work
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO - CONSOLIDATED RECORDS CORPORATION
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO - PACIFIC HOSPITALITY TRAINING - HOTEL CHAIN
Martin Briseño is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In 1998, Briseño decided to change the hotel's on-the-job mentoring model to a standardized training program for employees who were progressing from line positions into supervisory positions. He developed a curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small groups. Interest in the training increased, leading Briseño to work with corporate HR specialists and software engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed participants to work through the material at their own pace. Upon hearing about the success of Briseño's program, Pacific Suites corporate Vice President Maryanne Silva-Hayes expanded the training and offered it c
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO - PACIFIC HOSPITALITY TRAINING - HOTEL CHAIN
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO - THE HANDY HELPER PRODUCT GOES TO EU
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide. The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO - THE HANDY HELPER PRODUCT GOES TO EU
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO - THOMAS, THE COMPANY'S NEW CEO
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO - VENDOR BREACH AND POSTCARDS
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO ALBERT & TREASURE BOX
For 15 years, Albert has worked at Treasure Box - a mail order company in the United States (U.S.) that used to sell decorative candles around the world, but has recently decided to limit its shipments to customers in the 48 contiguous states. Despite his years of experience, Albert is often overlooked for managerial positions. His frustration about not being promoted, coupled with his recent interest in issues of privacy protection, have motivated Albert to be an agent of positive change. He will soon interview for a newly advertised position, and during the interview, Albert plans on making executives aware of lapses in the company's privacy program. He feels certain he will be rewarded with a promotion for preventing negative consequences resulting from the company's outdated policies and procedures. For example, Albert has learned about the AICPA (American Institute of Certifi
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO ALBERT & TREASURE BOX
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO: CEO PAUL & HIS SON CARLTON'S VENTURE:
Paul Daniels, with years of experience as a CEO, is worried about his son Carlton's successful venture, Gadgo. A technological innovator in the communication industry that quickly became profitable, Gadgo has moved beyond its startup phase. While it has retained its vibrant energy, Paul fears that under Carlton's direction, the company may not be taking its risks or obligations as seriously as it needs to. Paul has hired you, a privacy Consultant, to assess the company and report to both father and son. "Carlton won't listen to me," Paul says, "but he may pay attention to an expert." Gadgo's workplace is a clubhouse for innovation, with games, toys, snacks, espresso machines, giant fish tanks and even an iguana who regards you with little interest. Carlton, too, seems bored as he describes to you the company's procedures and technologies for data protection. It's a l
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO: CEO PAUL & HIS SON'S VENTURE
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO: CHICAGO SOCIETY FOR URBAN GREENSPACE
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO: CHICAGO SOCIETY FOR URBAN GREENSPACE:
Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society's store had been hacked. The thefts could have been employee-related. Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points out
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO: EDUFOX CONFERENCE AND OUTSOURCED APP DEVELOPERS
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO: EDUFOX CONFERENCE AND OUTSOURCED APP DEVELOPERS:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family. This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app wi
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO: HENRY HOME FURNISHINGS AND THE NEW OWNER ANTON
Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry has always focused on production - not data processing - and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information. To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth - his uncle's vice president and longtime confidante - wants to hold off on Anton's idea in fav
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO: HENRY HOME FURNISHINGS AND THE NEW OWNER ANTON
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO: PENNY & ACE SPACE
Please use the following to answer the next question: Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Space's practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts. Penny's colleague in Marketing is excited by the new sales and the company's plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her "I heard someone in the breakroom talking about some new privacy laws but
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO: PENNY & ACE SPACE
CORRECT ANSWER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

SCENARIO: THOMAS, THE COMPANY'S NEW CEO
As the company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically questionable practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that "appropriate" data protection safeguards were in place. The scandal affected the company's business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scand
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

SCENARIO: VENDOR BREACH AND POSTCARDS
You lead the privacy office for a company that handles information from individuals living in several countries throughout Europe and the Americas. You begin that morning's privacy review when a contracts officer sends you a message asking for a phone call. The message lacks clarity and detail, but you presume that data was lost. When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the vendor improperly shared information about your customers. He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the vendor to transcribe them into a database, but the vendor forgot to encrypt the database as promised in the contract. As a result, the vendor has lost control of the data. The vendor is extremely apologetic
CORRECT ANSWER: USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?
A. Implement a more comprehensive suite of information security controls than the one used by the vendor
B. Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified
C. Develop security protocols for the vendor and mandate that they be deployed
D. Insist on an audit of the vendor's privacy procedures and safeguards
CORRECT ANSWER: Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified

The CEO likes what he's seen of the company's improved privacy program, but wants additional assurance that it is fully compliant with industry standards and reflects emerging best practices. What would best help accomplish this goal?
A. An external audit conducted by a panel of industry experts
B. An internal audit team accountable to upper management
C. Creation of a self-certification framework based on company policies
D. Revision of the strategic plan to provide a system of technical controls
CORRECT ANSWER: An external audit conducted by a panel of industry experts

The company has achieved a level of privacy protection that established new best practices for the industry. What is a logical next step to help ensure a high level of protection?
A. Brainstorm methods for developing an enhanced privacy framework
B. Develop a strong marketing strategy to communicate the company's privacy practices
C. Focus on improving the incident response plan in preparation for any breaks in protection
D. Shift attention to privacy for emerging technologies as the company begins to use them
CORRECT ANSWER: Focus on improving the incident response plan in preparation for any breaks in protection

The company may start to earn back the trust of its customer base by following Albert's suggestion regarding which handling procedure?
A. Access
B. Correction
C. Escalation
D. Data Integrity
CORRECT ANSWER: Access

To establish the current baseline of Ace Space's privacy maturity, Penny should consider all of the following factors EXCEPT?
A. Ace Space's documented procedures
B. Ace Space's employee training program
C. Ace Space's vendor engagement protocols
D. Ace Space's content sharing practices on social media
CORRECT ANSWER: Ace Space's content sharing practices on social media

To help Penny and her CEO with their objectives, what would be the most helpful approach to address her IT concerns?
A. Roll out an encryption policy
B. Undertake a tabletop exercise
C. Ensure inventory of IT assets is maintained
D. Host a town hall discussion for all IT employees
CORRECT ANSWER: Ensure inventory of IT assets is maintained

To improve the facility's system of data security, Anton should consider following through with the plan for which of the following?
A. Customer communication
B. Employee access to electronic storage
C. Employee advisement regarding legal matters
D. Controlled access at the company headquarters
CORRECT ANSWER: Controlled access at the company headquarters

What administrative safeguards should be implemented to protect the collected data while in use by Manasa and her product management team?
A. Document the data flows for the collected data
B. Conduct a privacy impact assessment (PIA) to evaluate the risks involved
C. Implement a policy restricting data access on a "need to know" basis
D. Limit data transfers to the US by keeping data collected in Europe within a local data center
CORRECT ANSWER: Implement a policy restricting data access on a "need to know" basis

What analytic can be used to track the financial viability of the program as it develops?
A. Cost basis
B. Gap analysis
C. Return on investment
D. Breach impact modeling
CORRECT ANSWER: Return on investment

What can Sanjay do to minimize the risks of offering the product in Europe?
A. Sanjay should advise the distributor that Omnipresent Omnimedia has certified to the Privacy Shield Framework and there should be no issues.
B. Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released.
C. Sanjay should document the data life cycle of the data collected by the Handy Helper.
D. Sanjay should write a privacy policy to include with the Handy Helper user guide.
CORRECT ANSWER: Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released. (review and remediate seems like "assess risks and mitigate" using other words, and that is what should be done)

What information will be LEAST crucial from a privacy perspective in Penny's review of vendor contracts?
A. Audit rights
B. Liability for a data breach
C. Pricing for data security protections
D. The data a vendor will have access to
CORRECT ANSWER: Pricing for data security protections

What is one important factor that Albert fails to consider regarding Treasure Box's response to their recent security incident?
A. Who has access to the data
B. What the nature of the data is
C. How data at the company is collected
D. How long data at the company is kept
CORRECT ANSWER: What the nature of the data is

What is the best way for Penny to understand the location, classification and processing purpose of the personal data Ace Space has?
A. Analyze the data inventory to map data flows
B. Audit all vendors' privacy practices and safeguards
C. Conduct a Privacy Impact Assessment for the company
D. Review all cloud contracts to identify the location of data servers used
CORRECT ANSWER: Analyze the data inventory to map data flows

What is the best way for your vendor to be clear about the Society's breach notification expectations?
A. Include notification provisions in the vendor contract
B. Arrange regular telephone check-ins reviewing expectations
C. Send a memorandum of understanding on breach notification
D. Email the regulations that require breach notifications
CORRECT ANSWER: Include notification provisions in the vendor contract

What is the best way to prevent the Finnish vendor from transferring data to another party?
A. Restrict the vendor to using company security controls
B. Offer company resources to assist with the processing
C. Include transfer prohibitions in the vendor contract
D. Lock the data down in its current location
CORRECT ANSWER: Include transfer prohibitions in the vendor contract

What is the most concerning limitation of the incident-response council?
A. You convened it to diffuse blame
B. The council has an overabundance of attorneys
C. It takes eight hours of emails to come to a decision
D. The leader just joined the company as a consultant
CORRECT ANSWER: It takes eight hours of emails to come to a decision

What key mistake set the company up to be vulnerable to a security breach?
A. Collecting too much information and keeping it for too long
B. Overlooking the need to organize and categorize data
C. Failing to outsource training and data management to professionals
D. Neglecting to make a backup copy of archived electronic files
CORRECT ANSWER: Collecting too much information and keeping it for too long

What must Pacific Suites' primary focus be as it manages this security breach?
A. Minimizing the amount of harm to the affected individuals
B. Investigating the cause and assigning responsibility
C. Determining whether the affected individuals should be notified
D. Maintaining operations and preventing publicity
CORRECT ANSWER: Minimizing the amount of harm to the affected individuals

What phase in the Privacy Maturity Model (PMM) does Gadgo's privacy program best exhibit?
A. Ad hoc
B. Defined
C. Repeatable
D. Managed
CORRECT ANSWER: Ad hoc

What practice would afford the Director the most rigorous way to check on the program's compliance with laws, regulations and industry best practices?
A. Auditing
B. Monitoring
C. Assessment
D. Forensics
CORRECT ANSWER: Auditing

What process can best answer your questions about the vendor's data security safeguards?
A. A second-party or supplier audit
B. A reference check with other clients
C. A table top demonstration of a potential threat
D. A public records search for earlier legal violations
CORRECT ANSWER: A second-party or supplier audit

What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?
A. Privacy by Design
B. Privacy Step Assessment
C. Information Security Planning
D. Innovation Privacy Standards
CORRECT ANSWER: Privacy by Design

What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?
A. Include appropriate language about privacy protection in vendor contracts
B. Perform a privacy audit on any vendor under consideration
C. Require that a person trained in privacy protection be part of all vendor selection teams
D. Do business only with vendors who are members of privacy trade associations
CORRECT ANSWER: Include appropriate language about privacy protection in vendor contracts

What security controls are missing from the Eureka program?
A. Storage of medical data in the cloud is not permissible under the General Data Protection Regulation (GDPR)
B. Data access is not limited to those who "need to know" for their role
C. Collection of data without a defined purpose might violate the fairness principle
D. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data
CORRECT ANSWER: Data access is not limited to those who "need to know" for their role

What stage of the privacy operational life cycle best describes Consolidated's current privacy program?
A. Assess
B. Protect
C. Respond
D. Sustain
CORRECT ANSWER: Sustain

What would be the best kind of audit to recommend for Gadgo?
A. A supplier audit
B. An internal audit
C. A third-party audit
D. A self-certification
CORRECT ANSWER: A third-party audit

What would the company's legal team most likely recommend to Anton regarding his planned communication with customers?
A. To send consistent communication
B. To shift to electronic communication
C. To delay communications until local authorities are informed
D. To consider under what circumstances communication is necessary
CORRECT ANSWER: To consider under what circumstances communication is necessary

Which important principle of Data Lifecycle Management (DLM) will most likely be compromised if Anton executes his plan to limit data access to himself and Kenneth?
A. Practicing data minimalism
B. Ensuring data retrievability
C. Implementing clear policies
D. Ensuring adequacy of infrastructure
CORRECT ANSWER: Ensuring data retrievability

Which is the best first step in understanding the data security practices of a potential vendor?
A. Requiring the vendor to complete a questionnaire assessing International Organization for Standardization (ISO) 27001 compliance.
B. Conducting a physical audit of the vendor's facilities.
C. Conducting a penetration test of the vendor's data security structure.
D. Examining investigation records of any breaches the vendor has experienced.
CORRECT ANSWER: Requiring the vendor to complete a questionnaire assessing International Organization for Standardization (ISO) 27001 compliance.

Which of Anton's plans for improving the data management of the company is most unachievable?
A. His initiative to achieve regulatory compliance
B. His intention to transition to electronic storage
C. His objective for zero loss of personal information
D. His intention to send notice letters to customers and employees
CORRECT ANSWER: His objective for zero loss of personal information

Which of the following elements of the incident did you adequately determine?
A. The nature of the data elements impacted
B. The likelihood the incident may lead to harm
C. The likelihood that the information is accessible and usable
D. The number of individuals whose information was affected
CORRECT ANSWER: The likelihood the incident may lead to harm

Which of the following should be your biggest concern?
A. An open programming model that results in easy access
B. An unwillingness of cloud providers to provide security information
C. A lack of vendors in the cloud computing market
D. A reduced resilience of data structures that may lead to data loss.
CORRECT ANSWER: A reduced resilience of data structures that may lead to data loss

Which of the following was done CORRECTLY during the above incident?
A. The process by which affected individuals sign up for email notifications
B. Your assessment of which credit monitoring company you should hire
C. The speed at which you sat down to reflect and document the incident
D. Finding a vendor who will offer the affected individuals additional services
CORRECT ANSWER: The speed at which you sat down to reflect and document the incident (everything else was done very poorly)

Which of the following would be most effectively used as a guide to a systems approach to implementing data protection?
A. Data Life Cycle Management Standards
B. United Nations Privacy Agency Standards
C. International Organization for Standardization 9000 Series
D. International Organization for Standardization 27000 Series
CORRECT ANSWER: Data Life Cycle Management Standards

You are charged with making sure that privacy safeguards are in place for new products and initiatives. What is the best way to do this?
A. Hold a meeting with stakeholders to create an interdepartmental protocol for new initiatives
B. Institute Privacy by Design principles and practices across the organization
C. Develop a plan for introducing privacy protections into the product development stage
CORRECT ANSWER: Institute Privacy by Design principles and practices across the organization

You give a presentation to your CEO about privacy program maturity. What does it mean to have a "managed" privacy program, according to the AICPA/CICA Privacy Maturity Model?
A. Procedures or processes exist, however they are not fully documented and do not cover all relevant aspects.
B. Procedures and processes are fully documented and implemented, and cover all relevant aspects.
C. Reviews are conducted to assess the effectiveness of the controls in place.
D. Regular review and feedback are used to ensure continuous improvement toward optimization of the given process.
CORRECT ANSWER: Reviews are conducted to assess the effectiveness of the controls in place.

You see evidence that company employees routinely circumvent the privacy officer in developing new initiatives. How can you best draw attention to the scope of this problem?
A. Insist upon one-on-one consultation with each person who works around the privacy officer.
B. Develop a metric showing the number of initiatives launched without consultation and include it in reports, presentations, and consultation.
C. Hold discussions with the department head of anyone who fails to consult with the privacy officer.
D. Take your concerns straight to the Chief Executive Officer.
CORRECT ANSWER: Develop a metric showing the number of initiatives launched without consultation and include it in reports, presentations, and consultation.

You want to point out that normal protocols have not been followed in this matter. Which process in particular has been neglected?
A. Forensic inquiry
B. Data mapping
C. Privacy breach prevention
D. Vendor due diligence or vetting
CORRECT ANSWER: Vendor due diligence or vetting

Written for
Institution: CIPM Scenario Practice
Course: CIPM Scenario Practice

Document information
Uploaded on: March 25, 2024
Number of pages: 24
Written in: 2023/2024
Type: Exam (elaborations)
Contains: Questions & answers
